Root cannot start graphical session

I had an issue where I needed root / single user mode & couldn't get it, what I did was boot with init=/bin/bash as a kernel parameter then did "passwd root" to enable the root account, root account can always be disabled again once things are sorted, or just secured with a really good password and not used except in emergencies. A good secure password on an enabled root account does get round the issue in that bug though. Your mileage may vary and you may have other hoops to jump through using LVM particularly if it's encrypted though.

You don't get the choice to enable root in the bunsen installer, not even in advanced mode, at least not without passing parameters prior to booting the installer, if you do enable the root account you can't login from the graphical login screen without also editing files, and root doesn't get a bunsen-style environment set up without edits either. The devs are real "use sudo not root" fanatics, it does protect users from doing silly stuff like routinely logging in as root and browsing the interwebs, or giving root a bad 5 character password, but it's not *all* gain.

Blessed is he who expecteth nothing, for he shall not be disappointed...If there's an obscure or silly way to break it, but you don't know what.. Just ask me

Re: Root cannot start graphical session

Bearded_Blunder wrote:

You don't get the choice to enable root in the bunsen installer, not even in advanced mode, at least not without passing parameters prior to booting the installer, if you do enable the root account you can't login from the graphical login screen without also editing files, and root doesn't get a bunsen-style environment set up without edits either.

The devs are real "use sudo not root" fanatics...

That's uncalled-for IMO. BL is standard Debian and it's extremely easy to enable a root account after installation if you want.

It is, though, certainly not recommended to run a graphical session as root. Many of the apps are insufficiently secure. Keep it for system work on the terminal.

Re: Root cannot start graphical session

Well maybe fanatics is a bit harsh, and yes enabling root isn't *that* hard, it is multiple steps for anything bar logging in at a tty though. And it's not obvious why lightdm dumps root back at the login screen if you enable the account (or at least did in Jessie) when you try to login that way, you have to go digging to find out why that doesn't work.

"Standard Debian" the installer asks if you want the root account enabled yes or no... you don't get the user with sudo and locked root account setup by default and unasked without intervention.. So saying it's "standard" is stretching a point. "Standard" on Ubuntu so far as I recall.. not Debian. I do recall seeing people being jumped on for asking how to enable the root account though.. maybe not by yourself, but certainly by another person I won't name since they're no longer in evidence to defend themselves.

Generally "least privilege" is good security, but there are times when you're doing a string of administration, and sudo becomes a PITA. There's a tradeoff though, it's dead easy to unlock a locked root account using stunt mentioned up the thread a little, it's slightly harder if root *already* has a secure password, though to be fair not that much with physical access to the machine.

Then again, short of full disk encryption, if you have physical access it's game over security wise.

Some ways I actually like Microsoft's compromise on servers, they have the browser screwed down to the point you avoid using it. But you can at least login as admin to administer. These days basically it's the browser that's the attack surface, running a browser as root would worry me way more than a graphical session per-se.

Last edited by Bearded_Blunder (2019-01-09 03:45:46)

Blessed is he who expecteth nothing, for he shall not be disappointed...If there's an obscure or silly way to break it, but you don't know what.. Just ask me
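As an added illustration of the locked-versus-enabled root distinction discussed in the posts above (not code from any poster or from BunsenLabs): a small shell audit that classifies an account's password field in shadow(5) format. The function names and the sample entries are constructed for this example.

```shell
#!/bin/sh
# Constructed sample in shadow(5) format (not taken from a real system):
#   root  - locked, as on an install that sets up a sudo user only
#   alice - has a password hash set (placeholder, not a real hash)
#   guest - empty field: no password is required at all
SAMPLE_SHADOW='root:!:17905:0:99999:7:::
alice:$6$constructedsalt$constructedhash:17905:0:99999:7:::
guest::17905:0:99999:7:::'

# Classify the second colon-separated field of a shadow entry.
classify_shadow_field() {
    case "$1" in
        '')        echo "empty"  ;;  # login needs no password
        '!'*|'*'*) echo "locked" ;;  # no password can match this field
        *)         echo "set"    ;;  # a password hash is present
    esac
}

# Read shadow-format lines on stdin and report the state of account $1.
account_state() {
    while IFS=: read -r name field _rest; do
        if [ "$name" = "$1" ]; then
            classify_shadow_field "$field"
            return 0
        fi
    done
    echo "absent"
}

# Audit a real file (needs read access to it, normally root only).
audit_root() {
    account_state root < "${1:-/etc/shadow}"
}

# Demo on the constructed sample.
for user in root alice guest; do
    printf '%s: %s\n' "$user" \
        "$(printf '%s\n' "$SAMPLE_SHADOW" | account_state "$user")"
done
```

A "locked" result for root means password logins as root are refused at a TTY or via su, while sudo from an authorised user still works; `passwd -l root` returns an enabled root account to that state.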

Re: Root cannot start graphical session

Bearded_Blunder wrote:

Well maybe fanatics is a bit harsh, and yes enabling root isn't *that* hard, it is multiple steps for anything bar logging in at a tty though.

And logging in at a terminal or TTY is all you should be doing with a root account IMO. I think trying to enable a graphical login for root is crazy dangerous, and if you choose to call that fanaticism, so be it.

BL does allow running a few selected graphical apps with root privileges, via the policykit mechanism: thunar, synaptic and gparted are already setup that way OOTB, and we added bl-text-editor. (discussion here) Any of these can be called with pkexec, but I really wouldn't recommend running a full graphical desktop as root.

And it's not obvious why lightdm dumps root back at the login screen if you enable the account (or at least did in Jessie) when you try to login that way, you have to go digging to find out why that doesn't work.

My guess is that it doesn't work because no-one thinks you should be doing that.

"Standard Debian" the installer asks if you want the root account enabled yes or no... you don't get the user with sudo and locked root account setup by default and unasked without intervention.. So saying it's "standard" is stretching a point.

The installer is slightly customized, but the system it installs is indeed standard Debian (+ a little beautification). The standard Debian installer also allows sudo user setup - the only difference from ours in that respect is that BL hides the option to enable a root account. It's so easy to add afterwards that I don't see it as a major issue.

I do recall seeing people being jumped on for asking how to enable the root account though.. maybe not by yourself, but certainly by another person I won't name since they're no longer in evidence to defend themselves.

I don't recall that, although for most people sudo is fine. Anyway, here's one former team member suggesting 'sudo passwd root' which I've just tested:

Re: Root cannot start graphical session

If he is, because like me he's happier troubleshooting in a graphical environment... then

su --login username

Followed by

startx

Would be the first thing I'd try.

johnraff wrote:

...it's dead easy to unlock a locked root account using stunt mentioned up the thread a little, it's slightly harder if root *already* has a secure password...

As long as you can remember your own password then 'sudo passwd root' ought to work.

Yes, but hopefully the hypothetical miscreant booting the system with init=/bin/bash doesn't know *my* password, I'd rather he had to know at least *one* to gain access than just be granted root access.

It's OK I do get that it's not the best idea to run a graphical environment as root, and I rarely do so.. still think it's up to the individual though if they want to, with due caution given.. Many years ago, one of the distros used to give root lairy red wallpaper covered in bombs as a visual cue.

johnraff wrote:

And logging in at a terminal or TTY is all you should be doing with a root account IMO. I think trying to enable a graphical login for root is crazy dangerous, and if you choose to call that fanaticism, so be it.

Not being able to after enabling the root account isn't *expected behaviour* though, "Standard Debian" pick any DE you have the root account enabled, you can get a graphical login as root, Bunsen just bounces you back to lightdm-greeter.. no explanation, no nothing.. and it takes digging to find out it's because the user-setup script failed...

My own stance is that what you do with the root account is down to the computer's owner - protecting users from themselves is all very well.. but what you end up with is Windows.

Last edited by Bearded_Blunder (2019-01-09 22:47:51)

Blessed is he who expecteth nothing, for he shall not be disappointed...If there's an obscure or silly way to break it, but you don't know what.. Just ask me

Re: Root cannot start graphical session

Bearded_Blunder wrote:

johnraff wrote:

...trying to enable a graphical login for root is crazy dangerous...

Not being able to after enabling the root account isn't *expected behaviour* though, "Standard Debian" pick any DE you have the root account enabled, you can get a graphical login as root, Bunsen just bounces you back to lightdm-greeter.. no explanation, no nothing.. and it takes digging to find out it's because the user-setup script failed...

Thanks for this bug report. It is a reasonable complaint - failure of the user-setup script is not intended to cause startx to abort. If you don't mind, I think it's time to split this discussion away, so as not to further complicate beng's issue.

---

Anyway, agreed, regardless of whether root running a graphical environment is sensible in anyone's opinion, it shouldn't be impossible.

The user-setup script is run from /etc/X11/Xsession.d/22bunsen-user-setup which holds:

So even if bl-user-setup exits 1 it shouldn't stop startx. And on my Helium test VM it didn't.

I created a root password, switched to a new tty, logged in as root and ran startx with no problems. I got a plain black default openbox desktop and the default minimal openbox menu, which is exactly what you would expect. The menu "exit" closed it and returned to the tty:

---

Three points:

1) I don't think it would be reasonable for root to be given a standard BL user desktop. (That's why bl-user-setup exits if run by root.) There's just too much there that shouldn't be run as root - various daemons, environment variables... Anyone who really wants a root X environment should set it up themselves from the standard Debian tools (and be extremely careful).

2) What exactly is it that you'd like to do in such an environment anyway? You can already get a root terminal, file manager or text editor from the standard user desktop - is that not enough for the admin jobs that root would be doing?

3) I recall you mentioned being dropped back at the LightDM login. I don't see how you could even expect to log in to root from there, TBH.

Re: Root cannot start graphical session

If he is, because like me he's happier troubleshooting in a graphical environment... then

su --login username

Followed by

startx

Would be the first thing I'd try.

Was aimed at the OP in the thread this came from, they seemed confused that all they got logging in as root was a command line interface. So I suggested switching to their own user account.. *then* starting a graphical session. Partly from prudence, and partly because the bare openbox session root gets by default in Bunsen wouldn't be much more comfortable for a GUI oriented user than the CLI is.

The rest is about root logins generally.

Now personally I found it rather confusing having enabled the root account & trying to login at the usual login screen that I couldn't, and there was no explanation why, and no error, at that time I had way less idea about how Debian (or Linux in general) works, and even less about how Bunsen is configured, as a very long time Windows user, at the time I wasn't even aware you could Ctrl Alt F1 and login at a TTY..

Used to "The login screen" being what there was, and Live CDs being the only way round failures, wasn't until later that I resolved my confusion, in the course of joining Bunsen to Active Directory, and discovering why root got bounced by the user-setup script, Active-Directory logins also failed there & in managing to sort that out, I found the reason..

"Average Joe Newbie" won't have the first clue though.

In terms of any BUG there might be, as opposed to "BunsenLabs Policy", the BUG is that having enabled the root account, you should get a visible ERROR MESSAGE when graphical root login fails. Either that or it should work (like it does with any vanilla Debian DE install).

Something along the lines of "Graphical login for the root account has been disabled because it's deemed to be too risky. If you really MUST enable it, please refer to (some document provided), otherwise CTRL+ALT+F1 & login at a TTY" That document can point out more reasons not to do it and explain how to remove the check for root at the start of bl-user-setup. It can be placed somewhere non-obvious, so casual users won't happen across it, maybe in /root. But no feedback for failed logins isn't on, a NORMAL failed login for a normal user will give at least some "authentication failure" message.. "username or password not found" something.. so they know they made a typo.

Last edited by Bearded_Blunder (2019-01-10 06:57:39)

Blessed is he who expecteth nothing, for he shall not be disappointed...If there's an obscure or silly way to break it, but you don't know what.. Just ask me

Re: Root cannot start graphical session

Bearded_Blunder wrote:

In terms of any BUG there might be, as opposed to "BunsenLabs Policy", the BUG is that having enabled the root account, you should get a visible ERROR MESSAGE when graphical root login fails. Either that or it should work (like it does with any vanilla Debian DE install).

See my post above, which was composed over the course of the afternoon, other stuff intervening. Root is able to run startx and get a minimal graphical environment. If LightDM doesn't allow a direct root login that's LightDM's doing, not ours.

Anyway, my own test confirmed IMO that our implementation of the user setup is not responsible for this behaviour, so it's not a BL bug.

Re: Root cannot start graphical session

Well I'm going back to my experience with Jessie here, tbh I haven't looked closely at the setup arrangements with Stretch/Helium, but certainly in the former case, you got denied a login and returned to the greeter because bl-user-setup returned a non-zero exit code.

Either/any of commenting out the line calling bl-user-setup, editing bl-user-setup to omit the test for root, or switching dm got you a graphical login as root. Is that no longer the case in your testing?

Blessed is he who expecteth nothing, for he shall not be disappointed...If there's an obscure or silly way to break it, but you don't know what.. Just ask me

Re: Root cannot start graphical session

Yes, the implementation of bl-user-setup has changed since BL Hydrogen (jessie). In the past it was triggered from LightDM, but in Helium it's /etc/X11/Xsession.d/22bunsen-user-setup as I posted above.

But, to repeat, what would you expect to be able to do with a graphical root session that you can't do by running a file manager, text editor or terminal as root, which you can already do from a normal user session?

Re: Root cannot start graphical session

Absolutely nothing, except choose to the way I could with plain Debian XFCE, LXDE, LXQT etc. It's that "WTF?" moment if someone enables the root account then is faced with it "not working" with no clue as to why I think is "unfriendly".

TBH I generally set up Debian with locked root and sudo myself anyhow, I've set Bunsen up via netinstalls so many times the key presses are habit. If I unlock root on one of the desktops offered in tasksel there's no mysterious surprises at the default login screen if I subsequently unlock root is all.

Blessed is he who expecteth nothing, for he shall not be disappointed...If there's an obscure or silly way to break it, but you don't know what.. Just ask me

Re: Root cannot start graphical session

That seems to indicate just how rarely I try it, I'm not sure I have since Hydrogen. If so I might have another shot at Active Directory integration, maybe it'll also be less involved than it used to be. Also if so.. then this whole topic needs

mv topic /dev/null

Blessed is he who expecteth nothing, for he shall not be disappointed...If there's an obscure or silly way to break it, but you don't know what.. Just ask me